VLER/DAS Certificate updates 2014

Please note that these certificates have been issued by a different CA Chain than the previous certificates were.

The old CA Chain was:

GTE CyberTrust Global Root
- CyberTrust Public Issuing CA 1
-- <issued server certificate>

If the VLER/DAS server instance to which you connect is the ONLY server using the above CA Chain, you can remove those certificates from your trust stores once the new VLER/DAS certificates become active.  If your automation connects to any other servers that use the GTE CA Chain above, you should leave the chain in your trust.

If you don't know whether any other servers use that chain, err on the side of security and remove the two CyberTrust CA certificates listed above.  You can always reinstall them later if needed.

The CA Chain that is providing updated Public-facing certificates for VLER-DAS servers is as follows:

Federal Common Policy CA  		(file: Fed_CA_root.cer)
- Betrusted Production SSP CA A1	(file: Fed_BeTrusted_CA1.cer)
-- Veterans Affairs Device CA B2	(file: Fed_VAD_CA2.cer)
--- <issued server certificate>		(file: <serverFQDN>.cer)

If the new CA Chain listed above is already in your automation's trust, you do not have to add these again. No action should be necessary to retain SSL connectivity; when the new certificates activate on the VLER/DAS server instance, your automation should recognize them and continue to function.

If the new CA Chain listed above is NOT in your automation's trust, you should (at least) add the Federal Common Policy CA, then the others, in order, if needed.

At the minimum, the root CA listed above should be installed.  Most automation should work if that trust is included.

Adding only the (3) CA certificates should work to allow any future VLER/DAS updates from this same CA Chain.  It should not be necessary to add the actual server certificate in the trust, unless your automation requires it.

Adding all the new certificates listed above will guarantee the trust will work.
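
One way to check a trust store against the rules above, as an added example that is not part of the original notice: it reads CA certificate files exported from the trust store (PEM or DER), matches on the CA common names listed here, and reports what to add, remove or keep. The function names and the other_servers_use_old_chain flag are assumptions of this example.

```python
import ssl
from pathlib import Path

# CA common names exactly as listed in this notice, root first.
NEW_CHAIN = ["Federal Common Policy CA",
             "Betrusted Production SSP CA A1",
             "Veterans Affairs Device CA B2"]
OLD_CHAIN = ["GTE CyberTrust Global Root",
             "CyberTrust Public Issuing CA 1"]


def ca_common_names(cert_files):
    """Return the subject CNs of the CA certificates in PEM or DER files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for path in cert_files:
        raw = Path(path).read_bytes()
        # str input is parsed as PEM, bytes input as DER (.cer may be either).
        if b"-----BEGIN" in raw:
            ctx.load_verify_locations(cadata=raw.decode("ascii", "ignore"))
        else:
            ctx.load_verify_locations(cadata=raw)
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert["subject"]:
            names.update(v for k, v in rdn if k == "commonName")
    return names


def plan_trust_changes(present_cns, other_servers_use_old_chain=False):
    """Apply the notice's rules to the CNs found in a trust store."""
    present = set(present_cns)
    missing = [cn for cn in NEW_CHAIN if cn not in present]  # root first
    stale = [cn for cn in OLD_CHAIN if cn in present]
    return {
        "add": missing,
        # The root alone is the stated minimum for continued connectivity.
        "root_trusted": NEW_CHAIN[0] in present,
        # Keep the old chain only if another server still depends on it.
        "remove": [] if other_servers_use_old_chain else stale,
        "keep": stale if other_servers_use_old_chain else [],
    }


if __name__ == "__main__":
    import sys
    print(plan_trust_changes(ca_common_names(sys.argv[1:])))
```

Matching on common name only identifies candidates; compare certificate fingerprints against the files supplied with this notice before changing the trust store.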

Note that since these certificates are all issued by the same CA Chain, any peer that installs these in their trust stores will trust connections to and from any VLER/DAS server, and from any server presenting a certificate issued by any of these CAs.
A trusted certificate does NOT carry implied access controls.

Connection points for the certificates are as follows:

Development:	server.domain  	(external: devvler.domain)
Silver Test: 	server.domain  	(external: silvervler.domain)
Gold Test:	server.domain  	(external: goldvler.domain)

Production:	server.domain      	(external: vler.domain)
(Alternate:)	server.domain  		(same)

Questions or problems, please contact the SDE Support Team at: PII                     

20140414


